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HIGH-RISK SERIES 

Urgent Actions Are Needed to Address Cybersecurity 
Chaiienges Facing the Nation 


What GAO Found 

GAO has identified four major cybersecurity chaiienges and 10 criticai actions 
that the federai government and other entities need to take to address them. 
GAO continues to designate information security as a government-wide high-risk 
area due to increasing cyber-based threats and the persistent nature of security 
vuinerabiiities. 


Ten Critical Actions Needed to Address Four Major Cybersecurity Challenges 

Major challenges Critical actions needed 



Establishing a 
comprehensive 
cybersecurity strategy 
and performing 
effective oversight 


I 

i 


Securing federal 
systems and 
information 


r 


Protecting cyber 
critical infrastructure 


Protecting 
privacy and 
sensitive data 



Develop and execute a more comprehensive federal 
strategy for national cybersecurity and global cyberspace. 


Mitigate global supply chain risks (e.g., installation of 
malicious software or hardware). 


MB Address cybersecurity workforce management challenges. 


Ensure the security of emerging technologies 
(e.g., artificial intelligence and Internet of Things). 


Improve implementation of government-wide 
cybersecurity initiatives. 

Address weaknesses in federal agency 
information security programs. 


Enhance the federal response to cyber incidents. 


Strengthen the federal role in protecting the cybersecurity 
of critical infrastructure (e.g., electricity grid and 
telecommunications networks). 

Improve federal efforts to protect privacy and 
sensitive data. 





, , Appropriately limit the collection and use of personal 

information and ensure that it is obtained with appropriate 
knowledge or consent. 


Source: GAO analysis. | GAO-18-645T 


GAO has made over 3,000 recommendations to agencies aimed at addressing 
cybersecurity shortcomings in each of these action areas, inciuding protecting 
cyber criticai infrastructure, managing the cybersecurity workforce, and 
responding to cybersecurity incidents. Aithough many recommendations have 
been addressed, about 1,000 have not yet been impiemented. Untii these 
shortcomings are addressed, federai agencies’ information and systems wiii be 
increasingiy susceptibie to the muititude of cyber-reiated threats that exist. 
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Chairmen Meadows and Hurd, Ranking Members Connolly and Kelly, 
and Members of the Subcommittees: 

I appreciate the opportunity to be here today to participate in your hearing 
on cybersecurity challenges. Federal agencies and our nation’s critical 
infrastructures''—such as energy, transportation systems, 
communications, and financial services—are dependent on information 
technology (IT) systems and electronic data to carry out operations and to 
process, maintain, and report essential information. The security of these 
systems and data is vital to public confidence and national security, 
prosperity, and well-being. 

Many of these systems contain vast amounts of personally identifiable 
information (Pll),^ thus making it imperative to protect the confidentiality, 
integrity, and availability of this information and effectively respond to data 
breaches and security incidents, when they occur. Underscoring the 
importance of this issue, we continue to designate information security as 
a government-wide high-risk area in our most recent biennial report to 
Congress—a designation we have made in each report since ^Q97.^ 

The risks to IT systems supporting the federal government and the 
nation’s critical infrastructure are increasing as security threats continue 
to evolve and become more sophisticated. These risks include insider 


^The term “critical infrastructure” as defined in the Uniting and Strengthening America by 
Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 
(USA PATRIOT Act) refers to systems and assets so vital to the United States that their 
incapacity or destruction would have a debilitating impact on security, national economic 
security, national public health or safety, or any combination of these. 42 U.S.C. 
§5195c(e). Federal policy identifies 16 critical infrastructures: chemical; commercial 
facilities; communications; critical manufacturing; dams; defense industrial base; 
emergency services; energy; financial services; food and agriculture; government 
facilities; health care and public health; information technology; nuclear reactors, 
materials, and waste; transportation systems; and water and wastewater systems. 

^Pll is any information that can be used to distinguish or trace an individual’s identity, such 
as name, date and place of birth, or Social Security number, and other types of personal 
information that can be linked to an individual, such as medical, educational, financial, and 
employment information. 

^See GAO, High-Risk Series: An Update, GAO-17-317 (Washington, D.C.: February 
2017) and High Risk Series: An Overview, GAO-HR-97-1 (Washington, D.C.: February 
1997). GAO maintains a high-risk program to focus attention on government operations 
that it identifies as high risk due to their greater vulnerabilities to fraud, waste, abuse, and 
mismanagement or the need for transformation to address economy, efficiency, or 
effectiveness challenges. 
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threats from witting or unwitting employees, escalating and emerging 
threats from around the globe, steady advances in the sophistication of 
attack technology, and the emergence of new and more destructive 
attacks. 

In particular, foreign nations—where adversaries may possess 
sophisticated levels of expertise and significant resources to pursue their 
objectives—pose increasing risks. Rapid developments in new 
technologies, such as artificial intelligence and the Internet of Things 
(loT),"^ makes the threat landscape even more complex and can also 
potentially introduce security, privacy, and safety issues that were 
previously unknown. 

Compounding these risks, IT systems are often riddled with security 
vulnerabilities—both known and unknown. These vulnerabilities can 
facilitate security incidents and cyberattacks that disrupt critical 
operations; lead to inappropriate access to and disclosure, modification, 
or destruction of sensitive information; and threaten national security, 
economic well-being, and public health and safety. This is illustrated by 
significant security breaches reported by the Office of Personnel 
Management (0PM) in 2015 that resulted in the loss of Pll for an 
estimated 22.1 million individuals and, more recently, in 2017, a security 
breach reported by Equifax—one of the nation’s largest credit bureaus— 
that resulted in the loss of Pll for an estimated 148 million U.S. 
consumers. 

At your request, my testimony updates the information security high-risk 
area by identifying actions that the federal government and other entities 
need to take to address cybersecurity challenges facing the nation. This 
statement reflects work we conducted since the prior high-risk update 
was issued in February 2017, among other things.® We also plan to issue 
an updated assessment of this high-risk area in February 2019. 

In conducting the work for this update, we first identified cybersecurity 
areas in which the federal government has experienced challenges. To 
do so, we primarily reviewed our prior work issued since the start of fiscal 
year 2016 related to privacy, critical federal functions, and cybersecurity 


"*loT refers to the technologies and devices that sense information and communicate it to 
the Internet or other networks and, in some cases, act on that information. 

®GAO-17-317. 
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incidents, among other areas (see appendix I for a list of our prior work). 
We also reviewed recent cybersecurity policy and strategy documents 
issued by the current administration, such as Executive Order 13800, 
Strengthening the Cybersecurity of Federai Networks and Criticai 
infrastructure,^ the National Security Strategy,^ and the Department of 
Homeland Security’s (DHS) May 2018 cybersecurity strategy.® We then 
analyzed these documents to determine the extent to which they included 
GAO’S desirable characteristics of a national strategy.® We also reviewed 
recent media and information security industry reports of cyberattacks 
and security breaches. Based on these actions, we identified four 
cybersecurity areas in which federal agencies had experience challenges. 

To identify the actions needed to address each challenge area, we 
reviewed the findings of our work specific to each challenge, the status of 
our prior recommendations to the Executive Office of the President and 
federal agencies, and any actions taken by these entities to address our 
recommendations. In reviewing the status of prior recommendations, we 
also determined which recommendations had not been implemented and 
what additional actions, if any, the Executive Office of the President and 
federal agencies needed to take in order to address them. We then 
summarized the actions needed and the status of our prior 
recommendations. We also identified our ongoing work related to each 
action. 

We conducted the work on which this testimony is based in accordance 
with generally accepted government auditing standards. Those standards 
require that we plan and perform the audit to obtain sufficient, appropriate 


®Exec. Order No. 13800, 82 Fed Reg. 22391 (May 16, 2017). 

^The President of the United States, National Security Strategy of the United States of 
America, (Washington, D.C.: Dec. 2017). 

®DHS, U.S. Department of Homeland Security Cybersecurity Strategy, (Washington, D.C.: 
May 2018). DHS has broad authorities to improve and promote cybersecurity of federal 
and private-sector networks. Specifically, long-standing federal policy as promulgated by a 
presidential policy directive, executive orders, and the National Infrastructure Protection 
Plan have designated DHS as a lead federal agency for coordinating, assisting, and 
sharing information with the private-sector to protect critical infrastructure from cyber 
threats. 

®ln 2004, we developed a set of desirable characteristics that can enhance the usefulness 
of national strategies in allocating resources, defining policies, and helping to ensure 
accountability. (GAO, Combating Terrorism: Evaluation of Selected Characteristics in 
National Strategies Related to Terrorism, GAO-04-408T (Washington, D.C.: Feb. 3, 2004). 
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evidence to provide a reasonable basis for our findings and conclusions 
based on our audit objectives. We believe that the evidence obtained 
provides a reasonable basis for our findings and conclusions based on 
our audit objectives. 


Background 


IT systems supporting federal agencies and our nation’s critical 
infrastructures are inherently at risk. These systems are highly complex 
and dynamic, technologically diverse, and often geographically dispersed. 
This complexity increases the difficulty in identifying, managing, and 
protecting the numerous operating systems, applications, and devices 
comprising the systems and networks. 

Compounding the risk, federal systems and networks are also often 
interconnected with other internal and external systems and networks, 
including the Internet. This increases the number of avenues of attack 
and expands their attack surface. As systems become more integrated, 
cyber threats will pose an increasing risk to national security, economic 
well-being, and public health and safety. 

Advancements in technology, such as data analytics software for 
searching and collecting information, have also made it easier for 
individuals and organizations to correlate data (including PM) and track it 
across large and numerous databases. For example, social media has 
been used as a mass communication tool where PM can be gathered in 
vast amounts. In addition, ubiquitous Internet and cellular connectivity 
makes it easier to track individuals by allowing easy access to information 
pinpointing their locations. These advances—combined with the 
increasing sophistication of hackers and others with malicious intent, and 
the extent to which both federal agencies and private companies collect 
sensitive information about individuals—have increased the risk of PM 
being exposed and compromised. 

Cybersecurity incidents continue to impact entities across various critical 
infrastructure sectors. For example, in its 2018 annual data breach 
investigations report,Verizon reported that 53,308 security incidents 
and 2,216 data breaches were identified across 65 countries in the 12 
months since its prior report. Further, the report noted that cybercriminals 
can often compromise a system in just a matter of minutes—or even 


^°Verizon, 2018 Data Breach Investigation Report-llth Edition, April 2018. 
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seconds, but that it can take an organization significantly longer to 
discover the breach. Specifically, the report stated nearly 90 percent of 
the reported breaches occurred within minutes, while nearly 70 percent 
went undiscovered for months. 

These concerns are further highlighted by the number of information 
security incidents reported by federal executive branch civilian agencies 
to DHS’s U.S. Computer Emergency Readiness Team (US-CERT).^^ For 
fiscal year 2017, 35,277 such incidents were reported by the Office of 
Management and Budget (0MB) in its 2018 annual report to Congress, 
as mandated by the Federal Information Security Modernization Act 
(FISMA).''^ These incidents include, for example, web-based attacks, 
phishing, and the loss or theft of computing equipment. 

Different types of incidents merit different response strategies. However, 
if an agency cannot identify the threat vector (or avenue of attack), it 
could be difficult for that agency to define more specific handling 
procedures to respond to the incident and take actions to minimize similar 
future attacks. In this regard, incidents with a threat vector categorized as 
“other” (which includes avenues of attacks that are unidentified) made up 
31 percent of the various incidents reported to US-CERT. Figure 1 shows 
the percentage of the different types of incidents reported across each of 
the nine threat vector categories for fiscal year 2017, as reported by 
OMB. 


US-CERT, a branch of DHS’s National Cybersecurity and Communications Integration 
Center, is a central Federal information security incident center that compiles and 
analyzes information about incidents that threaten information security. Federal agencies 
are required to report such incidents to US-CERT. 

^^The Federal Information Security Modernization Act of 2014 was enacted as Pub. L. No. 
113-283, 128 Stat. 3073 (Dec. 18, 2014), and amended chapter 35 of Title 44, U.S. Code. 

^^Phishing is a digital form of social engineering that uses authentic-looking, but fake, e- 
mails to request information from users or direct them to a fake website that requests 
information. 

14 

A threat vector (or avenue of attack) specifies the conduit or means used by the source 
or attacker to initiate a cyberattack. US-CERT’s Federal Incident Notification Guidelines 
specify nine potential attack vectors agencies should use to describe incident security 
incidents during reporting. 
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Figure 1: Federal Information Security Incidents by Threat Vector Category, Fiscal Year 2017 


35,277 total information security incidents 


< 1 % 


Multiple attack vectors 

An attack that uses two or more of the 
attack types in combination 


Web 


An attack executed from a website 
or web-based application 


Loss or theft of equipment 

The loss or theft of a computing device or media 
used by the organization 


Email/phishing - 

An attack executed via an emaii 
message or attachment 



Attrition 

An attack that empioys brute force 
methods to compromise, degrade, or 
destroy systems, networks, or services 

External/removable media 

An attack executed from removabie media 
or a peripherai device 

Physical cause 

An attack or accident initiated in the 
physicai reaim 


Other 

An attack method does not fit into any 
other type or is unidentified 


Improper usage 

Any incident resuiting from violation of an 
organization’s acceptable usage policies by 
an authorized user that is not reported as 
part of another threat vector category 


Source: GAO analysis of United States Computer Emergency Readiness Team and Office of Management and Budget data for fiscal year 2017. | GAO-18-645T 


These incidents and others like them can pose a serious challenge to 
economic, national, and personal privacy and security. The following 
examples highlight the impact of such incidents: 

• In March 2018, the Mayor of Atlanta, Georgia reported that the city 
was victimized by a ransomware^® cyberattack. As a result, city 


^®According to DHS, ransomware is a type of malicious software cyber actors use to deny 
access to systems or data. The malicious cyber actor holds systems or data hostage until 
the ransom is paid. After the initial infection, the ransomware attempts to spread to shared 
storage drives and other accessible systems. If the demands are not met, the system or 
encrypted data remains unavailable, or data may be deleted. 
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government officials stated that customers were not able to access 
multiple applications that are used to pay bills or access court related 
information. In response to the attack, the officials noted that they 
were working with numerous private and governmental partners, 
including DHS, to assess what occurred and determine how best to 
protect the city from future attacks. 

• In March 2018, the Department of Justice reported that it had indicted 
nine Iranians for conducting a massive cybersecurity theft campaign 
on behalf of the Islamic Revolutionary Guard Corps. According to the 
department, the nine Iranians allegedly stole more than 31 terabytes 
of documents and data from more than 140 American universities, 30 
U.S. companies, and five federal government agencies, among other 
entities. 

• In March 2018, a joint alert from DHS and the Federal Bureau of 
Investigation (FBI)''® stated that, since at least March 2016, Russian 
government actors had targeted the systems of multiple U.S. 
government entities and critical infrastructure sectors. Specifically, the 
alert stated that Russian government actors had affected multiple 
organizations in the energy, nuclear, water, aviation, construction, and 
critical manufacturing sectors. 

• In July 2017, a breach at Equifax resulted in the loss of Pll for an 
estimated 148 million U.S. consumers. According to Equifax, the 
hackers accessed people’s names. Social Security numbers (SSN), 
birth dates, addresses and, in some instances, driver’s license 
numbers. 

• In April 2017, the Commissioner of the Internal Revenue Service 
(IRS) testified that the IRS had disabled its data retrieval tool in early 
March 2017 after becoming concerned about the misuse of taxpayer 
data. Specifically, the agency suspected that Pll obtained outside the 
agency’s tax system was used to access the agency’s online federal 
student aid application in an attempt to secure tax information through 
the data retrieval tool. In April 2017, the agency began notifying 
taxpayers who could have been affected by the breach. 

• In June 2015, 0PM reported that an intrusion into its systems had 
affected the personnel records of about 4.2 million current and former 
federal employees. Then, in July 2015, the agency reported that a 


'®The FBI is the lead federal agency for investigating cyber-attacks by criminals, overseas 
adversaries, and terrorists. The agency’s Cyber Division leads efforts to investigate 
computer intrusions, theft of intellectual property and personal information, child 
pornography and exploitation, and online fraud. 
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separate, but related, incident had compromised its systems and the 
files related to background investigations for 21.5 million individuals. 
In total, 0PM estimated 22.1 million individuals had some form of Pll 
stolen, with 3.6 million being a victim of both breaches. 


Federal Information 
Security Included on 
GAO’S High-Risk List 
Since 1997 


Safeguarding federal IT systems and the systems that support critical 
infrastructures has been a long-standing concern of GAO. Due to 
increasing cyber-based threats and the persistent nature of information 
security vulnerabilities, we have designated information security as a 
government-wide high-risk area since 1997.''^ In 2003, we expanded the 
information security high-risk area to include the protection of critical 
cyber infrastructure.''® At that time, we highlighted the need to manage 
critical infrastructure protection activities that enhance the security of the 
cyber and physical public and private infrastructures that are essential to 
national security, national economic security, and/or national public health 
and safety. 

We further expanded the information security high-risk area in 2015''® to 
include protecting the privacy of Pll. Since then, advances in technology 
have enhanced the ability of government and private sector entities to 
collect and process extensive amounts of Pll, which has posed 
challenges to ensuring the privacy of such information. In addition, high- 
profile Pll breaches at commercial entities, such as Equifax, heightened 
concerns that personal privacy is not being adequately protected. 

Our experience has shown that the key elements needed to make 
progress toward being removed from the High-Risk List are top-level 
attention by the administration and agency leaders grounded in the five 
criteria for removal, as well as any needed congressional action. The five 
criteria for removal that we identified in November 2000 are as follows:^® 


^^GAO-HR-97-1. 

^®See GAO, High-Risk Series: An Update, GAO-03-119 (Washington, D.C.: January 
2003). 

^®See GAO, High-Risk Series: An Update, GAO-15-290 (Washington, D.C.: February 
2015). 

'?0 

GAO, Determining Performance and Accountabiiity Chaiienges and High Risks, 
GAO-01-159SP (Washington, D.C.: November 2000). 
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• Leadership Commitment. Demonstrated strong commitment and top 
leadership support. 

• Capacity. The agency has the capacity (i.e., people and resources) to 
resolve the risk(s). 

• Action Pian. A corrective action plan exists that defines the root 
cause, solutions, and provides for substantially completing corrective 
measures, including steps necessary to implement solutions we 
recommended. 

• Monitoring. A program has been instituted to monitor and 
independently validate the effectiveness and sustainability of 
corrective measures. 

• Demonstrated Progress. Ability to demonstrate progress in 
implementing corrective measures and in resolving the high-risk area. 


These five criteria form a road map for efforts to improve and ultimately 
address high-risk issues. Addressing some of the criteria leads to 
progress, while satisfying all of the criteria is central to removal from the 
list. Figure 2 shows the five criteria and illustrative actions taken by 
agencies to address the criteria. Importantly, the actions listed are not 
“stand alone” efforts taken in isolation from other actions to address high- 
risk issues. That is, actions taken under one criterion may be important to 
meeting other criteria as well. For example, top leadership can 
demonstrate its commitment by establishing a corrective action plan 
including long-term priorities and goals to address the high-risk issue and 
using data to gauge progress—actions which are also vital to monitoring 
criteria. 
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Figure 2: Criteria for Removai from the High-Risk List and Exampies of Actions Leading to Progress 



Top leadership 
support 


LEADERSHIP 

COMMITMENT 

ACTIONS 


Developing 

Organizational Changes 
and Initiatives 

■ 

Establishing High-Level 
Governance Structures 

I 

Establishing Long-Term 
Priorities and Goals 

I 

Improving Collaboration 
through Networks or 
Establishing 
Memorandums of 
Understanding/ 
Agreements with Other 
Agencies 

I 

Initiating or Implementing 
Legislation and Issuing 
an Executive Order/ 
Presidential Initiative 

I 

Issuing Agency 
Leadership Directives 

I 

Providing Continuing 
Oversight and 
Accountability 



People and 
resources 


CAPACITY 

ACTIONS 


Allocating or 
Reallocating Funds 
or Staff 

■ 

Establishing and 
Maintaining Procedures 
or Systems 

I 

Establishing Work 
Groups with Specific 

Responsibilities 

I 

Improved Collaboration 
with other Agencies, 
Stakeholders, and the 
Private Sector 

I 

Providing Guidance and 
Training to Staff and 
Addressing Skills Gaps 



Root causes and 
corrective measures 


ACTION PLAN 
ACTIONS 


Establishing Goals and 
Performance Measures 

■ 

Identifying and Analyzing 
Root Causes of 
Problems 

I 

Identifying Critical 
Actions and Outcomes to 
Address Root Causes 

I 

Developing an Action 
Plan with Clear 
Milestones and Metrics 

■ 

Ensuring there are 
Processes for 
Reporting Progress 

I 

Making Plans Accessible 
and Transparent to Other 
Agencies, Congress, 
and the Public 



MONITORING 

ACTIONS 


Ensuring Data 
Quality/Adequacy or 
Using Third-Party 
Assessments and 
Validation 
■ 

Holding Frequent 
Review Meetings to 
Assess Status and 
Performance 

■ 

Reporting to Senior 
Managers on Program 
Progress and 
Potential Risks 

■ 

Tracking Performance 
Measures and Progress 
Against Goals 



Resolving the 
high-risk area 


DEMONSTRATED 

PROGRESS 

ACTIONS 


Implementing 

Recommendations 

■ 

Using Data to Show 
Action on Plan 
Implementation 

I 

Showing High-Risk 
Issues are Being 
Effectively Managed 
and Root 
Causes are Being 
Addressed 
■ 

Taking Actions to 
Ensure Progress 
(or Improvements) 
are Sustained 


Source: GAO-16-480R. | GA0-18-645T 
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As we reported in the February 2017 high-risk report,^'' the federal 
government’s efforts to address information security deficiencies had fully 
met one of the five criteria for removal from the High-Risk List— 
leadership commitment—and partially met the other four, as shown in 
figure 3. We plan to update our assessment of this high-risk area against 
the five criteria in February 2019. 


Figure 3: Status of High-Risk Area for Ensuring the Security of Federai Information 
Systems and Cyber Criticai Infrastructure and Protecting the Privacy of Personaiiy 
identifiabie Information, as of February 2017 


LEADERSHIP 



CAPACITY 


DEMONSTRATED 

PROGRESS 


One criterion has been met. 


Source; GAO analysis. | GAO-18-645T 

Note: Each point of the star represents one of the five criteria for removal from the High-Risk List and 
each ring represents one of the three designations: not met, partially met, or met. An unshaded point 
at the innermost ring means that the criterion has not been met, a partially shaded point at the middle 
ring means that the criterion has been partially met, and a fully shaded point at the outermost ring 
means that the criterion has been met. 


2^GA0-17-317. 
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Ten Critical Actions 
Needed to Address 
Major Cybersecurity 
Challenges 


Based on our prior work, we have identified four major cybersecurity 
challenges: (1) establishing a comprehensive cybersecurity strategy and 
performing effective oversight, (2) securing federal systems and 
information, (3) protecting cyber critical infrastructure, and (4) protecting 
privacy and sensitive data. To address these challenges, we have 
identified 10 critical actions that the federal government and other entities 
need to take (see figure 4). The four challenges and the 10 actions 
needed to address them are summarized following the table. 
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Figure 4: Ten Critical Actions Needed to Address Four Major Cybersecurity Challenges 


Major challenges 



Establishing a comprehensive 
cybersecurity strategy and 
performing effective oversight 



Securing federal systems 
and information 

L 

Protecting cyber 
critical infrastructure 

ir 

Protecting privacy and 
sensitive data 

n 


Critical actions needed 



Develop and execute a more comprehensive federal strategy for 
national cybersecurity and global cyberspace. 


Mitigate global supply chain risks (e.g., installation of malicious 
software or hardware). 



Address cybersecurity workforce management challenges. 




Ensure the security of emerging technologies 
(e.g., artificial intelligence and Internet of Things). 


Improve implementation of government-wide 
cybersecurity initiatives. 


Address weaknesses in federal agency information 
security programs. 



Enhance the federal response to cyber incidents. 



Strengthen the federal role in protecting the cybersecurity of critical 
infrastructure (e.g., electricity grid and telecommunications networks). 



Improve federal efforts to protect privacy and 
sensitive data. 


Appropriately limit the collection and use of personal information and 
ensure that it is obtained with appropriate knowledge or consent. 


Source; GAO analysis. | GAO-18-645T 
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Establishing a 
Comprehensive 
Cybersecurity Strategy 
and Performing Effective 
Oversight 


The federal government has been challenged in establishing a 
comprehensive cybersecurity strategy and in performing effective 
oversight as called for by federal law and policy.Specifically, we have 
previously reported that the federal government has faced challenges in 
establishing a comprehensive strategy to provide a framework for how the 
United States will engage both domestically and internationally on 
cybersecurity related matters.We have also reported on challenges in 
performing oversight, including monitoring the global supply chain, 
ensuring a highly skilled cyber workforce, and addressing risks 
associated with emerging technologies. The federal government can take 
four key actions to improve the nation’s strategic approach to, and 
oversight of, cybersecurity. 


• Develop and execute a more comprehensive federal strategy for 
national cybersecurity and global cyberspace. In February 2013 
we reported that the government had issued a variety of strategy- 
related documents that addressed priorities for enhancing 
cybersecurity within the federal government as well as for 
encouraging improvements in the cybersecurity of critical 
infrastructure within the private sector; however, no overarching 
cybersecurity strategy had been developed that articulated priority 
actions, assigned responsibilities for performing them, and set 
timeframes for their completion.Accordingly, we recommended that 
the White House Cybersecurity Coordinator^^ in the Executive Office 
of the President develop an overarching federal cybersecurity strategy 
that included all key elements of the desirable characteristics of a 


^^This includes the Federal Information Security Modernization Act of 2014, Revision of 
the Office of Management and Budget’s Circular No. A-130, “Managing Information as a 
Strategic Resource" and Presidential Executive Order on Strengthening the Cybersecurity 
of Federal Networks and Critical Infrastructure. 

^^GAO, Cybersecurity: National Strategy, Roles, and Responsibilities Need to Be Better 
Defined and More Effectively Implemented, GAO-13-187 (Washington, D.C.: Feb. 14, 
2013). 

2'^GA0-13-187. 

^^In December 2009, a Special Assistant to the President was appointed as Cybersecurity 
Coordinator to address the recommendations made in the Cyberspace Policy Review, 
including coordinating interagency cybersecurity policies and strategies and developing a 
comprehensive national strategy to secure the nation’s digital infrastructure. 
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national strategy^® including, among other things, milestones and 
performance measures for major activities to address stated priorities; 
cost and resources needed to accomplish stated priorities; and 
specific roles and responsibilities of federal organizations related to 
the strategy’s stated priorities. 


In response to our recommendation, in October 2015, the Director of 
0MB and the Federal Chief Information Officer, issued a 
Cybersecurity Strategy and Implementation Plan for the Federal 
Civilian Government. The plan directed a series of actions to 
improve capabilities for identifying and detecting vulnerabilities and 
threats, enhance protections of government assets and information, 
and further develop robust response and recovery capabilities to 
ensure readiness and resilience when incidents inevitably occur. The 
plan also identified key milestones for major activities, resources 
needed to accomplish milestones, and specific roles and 
responsibilities of federal organizations related to the strategy’s 
milestones. 

Since that time, the executive branch has made progress toward 
outlining a federal strategy for confronting cyber threats. Table 1 
identifies these recent efforts and a description of their related 
contents. 


^®ln 2004, we developed a set of desirable characteristics that can enhance the 
usefulness of national strategies in allocating resources, defining policies, and helping to 
ensure accountability. (GAO, Combating Terrorism: Evaiuation ofSeiected Characteristics 
in Nationai Strategies Reiated to Terrorism, GAO-04-408T (Washington, D.C.: Feb. 3, 
2004). 

^^OMB, Cybersecurity Strategy and Imptementation Pian for the Federai Civitian 
Government, M-16-04 (Washington, D.C.: Oct. 30, 2015). 
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Table 1: Recent Executive Branch Initiatives That Identify Cybersecurity Priorities for the Federal Government 

Executive branch initiative 

Date of issuance 

Description 

Executive Order 13800: 
Strengthening the 
Cybersecurity of Federal 
Networks and Critical 
Infrastructure 

May 2017 

The Executive Order required federal agencies to take a variety of actions, 
including to better manage their cybersecurity risks and coordinate to meet 
reporting requirements related to the cybersecurity of federal networks, critical 
infrastructure, and the nation.® As of July 2018, the executive branch had publicly 
released several reports, including a high-level assessment by the Office of 
Management and Budget (OMB) of the cybersecurity risk management 
capabilities of the federal government.The assessment stated that OMB and the 
Department of Homeland Security (DHS) examined the capabilities of 96 civilian 
agencies across 76 cybersecurity metrics and found that 71 agencies had 
cybersecurity programs that were either at risk or high risk.® The report also stated 
agencies were not equipped to determine how malicious actors seek to gain 
access to their information systems and data. The report identified core actions to 
address cybersecurity risks across the federal enterprise. 

National Security Strategy 

December 2017 

The National Security Strategy® identified four vital national interests: protecting 
the homeland, the American people, and American way of life; promoting 

American prosperity; preserving peace through strength; and advance American 
influence. The strategy also cites cybersecurity as a national priority and identifies 
related needed actions, including identifying and prioritizing risk, building 
defensible government networks, determining and disrupting malicious cyber 
actors, improving information sharing and deploying layered defenses. 

DHS Cybersecurity Strategy 

May 2018 

The DHS Cybersecurity Strategy® articulated seven goals the department plans to 
accomplish in support of its mission related to managing national cybersecurity 
risks. The goals were spread across five pillars that correspond to DHS-wide risk 
management, including risk identification, vulnerability reduction, threat reduction, 
consequence mitigation, and enabling cybersecurity outcomes. The strategy is 
intended to provide DHS with a framework to execute its cybersecurity 
responsibilities during the next 5 years to keep pace with the evolving cyber risk 
landscape by reducing vulnerabilities and building resilience; countering malicious 
actors in cyberspace; responding to incidents; and making the cyber ecosystem 
more secure and resilient. 


Source: GAO analysis of agency documents. | GAO-18-645T 


^Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical 
Infrastructure. Executive Order 13800 (Washington, D.C.: May 11,2017). 

‘’OMB, Federal Cybersecurity Risk Determination Report and Action Plan, (Washington, D.C.: May 
2018). 

‘'OMB and DHS designated agencies as "at risk” if agencies had some essential policies, processes, 
and tools in place to mitigate overall cybersecurity risks. OMB and DHS designated agencies as "high 
risk" if agencies did not have essential policies, processes, and tools in place to mitigate overall 
cybersecurity risks. 

‘'The President of the United States, National Security Strategy of the United States of America, 
(Washington, D.C.: Dec. 2017). 

“DHS, U.S. Department of Homeland Security Cybersecurity Strategy, (Washington, D.C.: May 2018). 


These efforts provide a good foundation toward establishing a more 
comprehensive strategy, but more effort is needed to address all of 
the desirable characteristics of a national strategy that we 
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recommended. The recently issued executive branch strategy 
documents did not include key elements of desirable characteristics 
that can enhance the usefulness of a national strategy as guidance for 
decision makers in allocating resources, defining policies, and helping 
to ensure accountability. Specifically: 

• Milestones and performance measures to gauge results were 
generally not included in strategy documents. For example, 
although the DHS Cybersecurity Strategy stated that its 
implementation would be assessed on an annual basis, it did not 
describe the milestones and performance measures for tracking 
the effectiveness of the activities intended to meet the stated 
goals (e.g., protecting critical infrastructure and responding 
effectively to cyber incidents). Without such performance 
measures, DHS will lack a means to ensure that the goals and 
objectives discussed in the document are accomplished and that 
responsible parties are held accountable. 

According to officials from DHS’s Office of Cybersecurity and 
Communications, the department is developing a plan for 
implementing the DHS Cybersecurity Strategy and expects to 
issue the plan by mid-August 2018. The officials stated that the 
plan is expected to identify milestones, roles, and responsibilities 
across DHS to inform the prioritization of future efforts. 

• The strategy documents generally did not include information 
regarding the resources needed to carry out the goals and 
objectives. For example, although the DHS Cybersecurity Strategy 
identified a variety of actions the agency planned to take to 
perform their cybersecurity mission, it did not articulate the 
resources needed to carry out these actions and requirements. 
Without information on the specific resources needed, federal 
agencies may not be positioned to allocate such resources and 
investments and, therefore, may be hindered in their ability to 
meet national priorities. 

• Most of the strategy documents lacked clearly defined roles and 
responsibilities for key agencies, such as DHS, DOD, and 0MB. 
These agencies contribute substantially to the nation’s 
cybersecurity programs. For example, although the National 
Security Strategy discusses multiple priority actions needed to 
address the nation’s cybersecurity challenges (e.g. building 
defensible government networks and deterring and disrupting 
malicious cyber actors), it does not describe the roles, 
responsibilities, or the expected coordination of any specific 
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federal agencies, including DHS, DOD, or 0MB, or other non- 
federal entities needed to carry out those actions. Without this 
information, the federal government may not be able to foster 
effective coordination, particularly where there is overlap in 
responsibilities, or hold agencies accountable for carrying out 
planned activities. 

Ultimately, a more clearly defined, coordinated, and comprehensive 
approach to planning and executing an overall strategy would likely 
lead to significant progress in furthering strategic goals and lessening 
persistent weaknesses. 

• Mitigate giobai suppiy chain risks. The global, geographically 
disperse nature of the producers and suppliers of IT products is a 
growing concern. We have previously reported on potential issues 
associated with IT supply chain and risks originating from foreign- 
manufactured equipment. For example, in July 2017, we reported that 
the Department of State had relied on certain device manufacturers, 
software developers, and contractor support which had suppliers that 
were reported to be headquartered in a cyber-threat nation (e.g., 
China and Russia).^® We further pointed out that the reliance on 
complex, global IT supply chains introduces multiple risks to federal 
agencies, including insertion of counterfeits, tampering, or installation 
of malicious software or hardware. 

Earlier this month, we testified that if such global IT supply chain risks 
are realized, they could jeopardize the confidentiality, integrity, and 
availability of federal information systems.^® Thus, the potential exists 
for serious adverse impact on an agency’s operations, assets, and 
employees. These factors highlight the importance and urgency of 
federal agencies appropriately assessing, managing, and monitoring 
IT supply chain risk as part of their agencywide information security 
programs. 

• Address cybersecurity workforce management challenges. The 

federal government faces challenges in ensuring that the nation’s 
cybersecurity workforce has the appropriate skills. For example, in 
June 2018, we reported on federal efforts to implement the 


^®GAO, state Department Telecommunications: Information on Vendors and Cyber-Threat 
Nations, GAO-17-688R (Washington, D.C.: July 27, 2017). 

nq 

GAO, Information Security: Supply Chain Risks Affecting Federal Agencies, 
GAO-18-667T (Washington, D.C.: July 12, 2018). 
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requirements of the Federal Cybersecurity Workforce Assessment Act 
of 2015.^° We determined that most of the Chief Financial Officers 
(CFO) Act^'' agencies had not fully implemented all statutory 
requirements, such as developing procedures for assigning codes to 
cybersecurity positions. Further, we have previously reported that 
DHS and DOD had not addressed cybersecurity workforce 
management requirements set forth in federal laws.^^ In addition, we 
have reported in the last 2 years that federal agencies (1) had not 
identified and closed cybersecurity skills gaps,^^ (2) had been 
challenged with recruiting and retaining qualified staff,and (3) had 
difficulty navigating the federal hiring process.^® 

A recent executive branch report also discussed challenges 
associated with the cybersecurity workforce. Specifically, in response 
to Executive Order 13800, the Department of Commerce and DHS led 
an interagency working group exploring how to support the growth 
and sustainment of future cybersecurity employees in the public and 


OA 

GAO, Cybersecurity Workforce: Agencies Need to improve Baseiine Assessments and 
Procedures for Coding positions, GAO-18-466 (Washington, D.C.: June 14, 2018). The 
Federal Cybersecurity Workforce Assessment Act of 2015 was enacted as part of the 
Consolidated Appropriations Act, 2016, Pub. L. No. 114-113, Div. N, Title III, 129 Stat. 
2242, 2975-77 (Dec. 18, 2015). 

^^There are 24 agencies identified in the Chief Financial Officers Act: the Departments of 
Agriculture, Commerce, Defense, Education, Energy, Flealth and Human Services, 
Homeland Security, Housing and Urban Development, the Interior, Justice, Labor, State, 
Transportation, the Treasury, and Veterans Affairs; the Environmental Protection Agency; 
General Services Administration; National Aeronautics and Space Administration; National 
Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; 
Small Business Administration; Social Security Administration; and the U.S. Agency for 
International Development. 

on 

GAO, Cybersecurity Workforce: Urgent Need for DHS to Take Actions to identify its 
Position and Criticai Skiii Requirements, GAO-18-175 (Washington, D.C.: Feb. 6, 2018); 
and Defense Civii Support: DOD Needs to Address Cyber incident Training 
Requirements, GAO-18-47 (Washington, D.C.: Nov. 30, 2017). 

oo 

GAO, tT Workforce: Key Practices Heip Ensure Strong integrated Program Teams; 
Seiected Departments Need to Assess Skiii Gaps, GAO-17-8 (Washington, D.C.: Nov. 30, 
2016). 

^^GAO, Federai Chief information Security Officers: Opportunities Exist to improve Roies 
and Address Chaiienges to Authority, GAO-16-686 (Washington, D.C.: Aug. 26, 2016). 

^^GAO, Federai Hiring: OPM Needs to improve Management and Oversight of Hiring 
Authorities, GAO-16-521 (Washington, D.C.: Aug. 2, 2016). 
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private sectors. In May 2018, the departments issued a report^® that 
identified key findings, including: 

• the U.S. cybersecurity workforce needs immediate and sustained 
improvements; 

• the pool of cybersecurity candidates needs to be expanded 
through retraining and by increasing the participation of women, 
minorities, and veterans; 

• a shortage exists of cybersecurity teachers at the primary and 
secondary levels, faculty in higher education, and training 
instructors; and 

• comprehensive and reliable data about cybersecurity workforce 
position needs and education and training programs are lacking. 

The report also included recommendations and proposed actions to 
address the findings, including that private and public sectors should 
(1) align education and training with employers’ cybersecurity 
workforce needs by applying the National Initiative for Cybersecurity 
Education Cybersecurity Workforce Framework; (2) develop 
cybersecurity career model paths; and (3) establish a clearinghouse 
of information on cybersecurity workforce development education, 
training, and workforce development programs and initiatives. 

In addition, in June 2018, the executive branch issued a government 
reform plan and reorganization recommendations that included, 
among other things, proposals for solving the federal cybersecurity 
workforce shortage.®^ In particular, the plan notes that the 
administration intends to prioritize and accelerate ongoing efforts to 
reform the way that the federal government recruits, evaluates, 
selects, pays, and places cyber talent across the enterprise. The plan 
further states that, by the end of the first quarter of fiscal year 2019, all 
CFO Act agencies, in coordination with DHS and 0MB, are to develop 
a critical list of vacancies across their organizations. Subsequently, 
0MB and DHS are to analyze these lists and work with 0PM to 


®®The Secretaries of Commerce and Homeland Security, A Report to the President on 
Supporting the Growth and Sustainment of the Nation’s Cybersecurity Workforce: Buiiding 
the Foundation fora More Secure American Future, (Washington, D.C.: May 2018). 

®^Executive Office of the President of the United States, Deiivering Government Soiutions 
in the 21st Century: Reform Pian and Reorganization Recommendations (Washington, 
D.C.: June 2018). 
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develop a government-wide approach to identifying or recruiting new 
employees or reskilling existing employees. Regarding cybersecurity 
training, the plan notes that 0MB is to consult with DHS to 
standardize training for cybersecurity employees, and should work to 
develop an enterprise-wide training process for government 
cybersecurity employees. 

• Ensure the security of emerging technoiogies. As the devices 
used in daily life become increasingly integrated with technology, the 
risk to sensitive data and PI I also grows. Over the last several years, 
we have reported on weaknesses in addressing vulnerabilities 
associated with emerging technologies, including: 

• loT devices, such as fitness trackers, cameras, and thermostats, 
that continuously collect and process information are potentially 
vulnerable to cyber-attacks;^® 

• loT devices, such as those acquired and used by DOD employees 
or that DOD itself acquires (e.g., smartphones), may increase the 
security risks to the department;®® 

• vehicles that are potentially susceptible to cyber-attack through 
technology, such as Bluetooth;'^® 

• the unknown impact of artificial intelligence cybersecurity; and"^^ 

• advances in cryptocurrencies and blockchain technologies."^^ 

Executive branch agencies have also highlighted the challenges 
associated with ensuring the security of emerging technologies. 
Specifically, in a May 2018 report issued in response to Executive 
Order 13800, the Department of Commerce and DHS issued a report 


oo 

GAO, Technology Assessment: Internet of Things: Status and Implications of an 
Increasingly Connected World, GAO-17-75 (Washington, D.C.: May 15, 2017). 

®®GAO, Internet of Things: Enhanced Assessments and Guidance Are Needed to Address 
Security Risks in DOD, GAO-17-668 (Washington, D.C.: July 27, 2017). 

"^^GAO, Vehicle Cybersecurity: DOT and Industry Have Efforts Under Way, but DOT 
Needs to Define Its Role in Responding to a Real-world Attack, GAO-16-350 (Washington, 
D.C.: Apr. 25, 2016). 

"^^GAO, Technology Assessment: Artificial Intelligence, Emerging Opportunities, 
Challenges, and Implications, GAO-18-142SP (Washington, D.C.: Mar. 28, 2018). 

"^^GAO, GAO Strategic Plan 2018-2023: Trends Affecting Government and Society, 
GAO-18-396SP (Washington, D.C.: Feb. 22, 2018). 
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on the opportunities and challenges in reducing the botnet threat. 

The opportunities and challenges are centered on six principal 
themes, including the global nature of automated, distributed attacks; 
effective tools; and awareness and education. The report also 
provides recommended actions, including that federal agencies 
should increase their understanding of what software components 
have been incorporated into acquired products and establish a public 
campaign to support awareness of loT security. 

In our previously discussed reports related to this cybersecurity 
challenge, we made a total of 50 recommendations to federal agencies to 
address the weaknesses identified. As of July 2018, 48 recommendations 
had not been implemented. These outstanding recommendations include 
8 priority recommendations, meaning that we believe that they warrant 
priority attention from heads of key departments and agencies. These 
priority recommendations include addressing weaknesses associated 
with, among other things, agency-specific cybersecurity workforce 
challenges and agency responsibilities for supporting mitigation of vehicle 
network attacks. Until our recommendations are fully implemented, 
federal agencies may be limited in their ability to provide effective 
oversight of critical government-wide initiatives, address challenges with 
cybersecurity workforce management, and better ensure the security of 
emerging technologies. 

In addition to our prior work related to the federal government’s efforts to 
establish key strategy documents and implement effective oversight, we 
also have several ongoing reviews related to this challenge. These 
include reviews of: 

• the CFO Act agencies’ efforts to submit complete and reliable 
baseline assessment reports of their cybersecurity workforces; 

• the extent to which DOD has established training standards for cyber 
mission force personnel, and efforts the department has made to 
achieve its goal of a trained cyber mission force; 

• selected agencies’ ability to implement cloud service technologies and 
notable benefits this might have on agencies; and 


^^The Secretaries of Commerce and Homeland Security, A Report to the President on 
Enhancing the Resiiience of the Internet and Communications Ecosystem Against Botnets 
and Other Automated, Distributed Threats, (Washington, D.C.: May 22, 2018). 
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• the federal approach and strategy to securing agency information 
systems, to include federal intrusion detection and prevention 
capabilities and the intrusion assessment plan. 


S6CUring F6d6ral Systains The federal government has been challenged in securing federal systems 
and Information information. Specifically, we have reported that federal agencies 

have experienced challenges in implementing government-wide 
cybersecurity initiatives, addressing weaknesses in their information 
systems and responding to cyber incidents on their systems. This is 
particularly concerning given that the emergence of increasingly 
sophisticated threats and continuous reporting of cyber incidents 
underscores the continuing and urgent need for effective information 
security. As such, it is important that federal agencies take appropriate 
steps to better ensure they have effectively implemented programs to 
protect their information and systems. We have identified three actions 
that the agencies can take. 

• Improve implementation of government-wide cybersecurity 
initiatives. Specifically, in January 2016, we reported that DHS had 
not ensured that the National Cybersecurity Protection System 
(NCPS) had fully satisfied all intended system objectives related to 
intrusion detection and prevention, information sharing, and 
analytics.In addition, in February 2017, we reported"*® that the DHS 
National Cybersecurity and Communications Integration Center’s 
(NCCIC)"*® functions were not being performed in adherence with the 


"*"*GAO, Information Security: DHS Needs to Enhance Capabilities, Improve Planning, and 
Support Greater Adoption of Its National Cybersecurity Protection System, GAO-16-294 
(Washington, D.C.: Jan. 28, 2016). NCPS is intended to provide DHS with capabilities to 
detect malicious traffic traversing federal agencies’ computer networks, prevent intrusions, 
and support data analytics and information sharing. 

"^^GAO, Cybersecurity: DHS’s National Integration Center Generally Performs Required 
Functions but Needs to Evaluate Its Activities More Completely, GAO-17-163 
(Washington, D.C.: Feb. 1,2017). 

^®DHS established the NCCIC as to serve as the 24/7 cyber monitoring, incident 
response, and management center. The center provides a central place for the various 
federal and private-sector organizations to coordinate efforts to address and respond to 
cyber threats. 
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principles set forth in federal laws/^ We noted that, although NCCIC 
was sharing information about cyber threats in the way it should, the 
center did not have metrics to measure that the information was 
timely, relevant and actionable, as prescribed by law. 

• Address weaknesses in federal information security programs. 

We have previously identified a number of weaknesses in agencies’ 
protection of their information and information systems. For example, 
over the past 2 years, we have reported that: 

• most of the 24 agencies covered by the CFO Act had weaknesses 
in each of the five major categories of information system controls 
(i.e., access controls, configuration management controls, 
segregation of duties, contingency planning, and agency-wide 
security management);"^® 

• three agencies—the Securities Exchange Commission, the 
Federal Deposit Insurance Corporation, and the Food and Drug 
Administration—had not effectively implemented aspects of their 
information security programs, which resulted in weaknesses in 
these agencies’ security controls;'^® 

• information security weaknesses in selected high-impact systems 
at four agencies—the National Aeronautics and Space 
Administration, the Nuclear Regulatory Commission, 0PM, and 
the Department of Veterans Affairs—were cited as a key reason 
that the agencies had not effectively implemented elements of 
their information security programs;®® 


^^The National Cybersecurity Protection Act of 2014 and Cybersecurity Act of 2015 
require NCCIC to carry out 11 cybersecurity functions, to the extent practicable, in 
accordance with nine principles. Pub. L. No. 113-282, Dec. 18, 2014. The Cybersecurity 
Act of 2015 was enacted as Division N of the Consolidated Appropriations Act, 2016, Pub. 
L No. 114-113, Dec. 18, 2015. 

"^®GAO, Federal Information Security: Weaknesses Continue to Indicate Need for Effective 
Implementation of Policies and Practices, GAO-17-549 (Washington, D.C.: Sept. 28, 
2017). 

"*®GAO, Information Security: SEC Improved Control of Financial Systems but Needs to 
Take Additional Actions, GAO-17-469 (Washington, D.C.: July 27, 2017); Information 
Security: FDIC Needs to Improve Controls over Financial Systems and Information, 
GAO-17-436 (Washington, D.C.: May 31,2017); and Information Security: FDA Needs to 
Rectify Control Weaknesses That Place Industry and Public Health Data at Risk, 
GAO-16-513 (Washington, D.C.: Aug. 30, 2016). 

®®GAO, Information Security: Agencies Need to Improve Controls over Selected High- 
Impact Systems, GAO-16-501 (Washington, D.C.: May 18, 2016). 
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• DOD’s process for monitoring the implementation of cybersecurity 
guidance had weaknesses and resulted in the closure of certain 
tasks (such as completing cyber risk assessments) before they 
were fully implemented;^'' and 

• agencies had not fully defined the role of their Chief Information 
Security Officers, as required by FISMA.^^ 

We also recently testified that, although the government had acted to 
protect federal information systems, additional work was needed to 
improve agency security programs and cyber capabilities. “In 
particular, we noted that further efforts were needed by agencies to 
implement our prior recommendations in order to strengthen their 
information security programs and technical controls over their 
computer networks and systems. 

• Enhance the federal response to cyber incidents. We have 

reported that certain agencies have had weaknesses in responding to 
cyber incidents. For example, 

• as of August 2017, 0PM had not fully implemented controls to 
address deficiencies identified as a result of its 2015 cyber 
incidents;^ 

• DOD had not identified the National Guard’s cyber capabilities 
(e.g., computer network defense teams) or addressed challenges 
in its exercises.“ 

• as of April 2016, DOD had not identified, clarified, or implemented 
all components of its support of civil authorities during cyber 
incidents;®® and 


®^G/40, Defense Cybersecurity: DOD's Monitoring of Progress in Impiementing Cyber 
Strategies Can Be Strengthened, GAO-17-512 (Washington, D.C.: Aug. 1,2017). 

®^GAO, Federat Chief Information Security Officers: Opportunities Exist to Improve Roles 
and Address Challenges to Authority, GAO-16-686 (Washington, D.C.: Aug. 26, 2016). 

®®GAO, Information Technology: Continued Implementation of High-Risk 
Recommendations Is Needed to Better Manage Acquisitions, Operations, and 
Cybersecurity, GAO-18-566T (Washington, D.C.: May 23, 2018). 

®^GAO, Information Security: OPM Has Improved Controls, but Further Efforts Are 
Needed, GAO-17-614 (Washington, D.C.: Aug. 3, 2017). 

®®GAO, Defense Civil Support: DOD Needs to Identify National Guard’s Cyber Capabilities 
and Address Challenges in Its Exercises, GAO-16-574 (Washington, D.C.: Sept. 6, 2016). 
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• as of January 2016, DHS’s NCPS had limited capabilities for 
detecting and preventing intrusions, conducting analytics, and 
sharing information.®^ 

In the public versions of the reports previously discussed for this 
challenge area, we made a total of 101 recommendations to federal 
agencies to address the weaknesses identified.®® As of July 2018, 61 
recommendations had not been implemented. These outstanding 
recommendations include 14 priority recommendations to address 
weaknesses associated with, among other things, the information security 
programs at the National Aeronautics and Space Administration, 0PM, 
and the Security Exchange Commission. Until these recommendations 
are implemented, these federal agencies will be limited in their ability to 
ensure the effectiveness of their programs for protecting information and 
systems. 

In addition to our prior work, we also have several ongoing reviews 
related to the federal government’s efforts to protect its information and 
systems. These include reviews of: 

• Federal Risk and Authorization Management Program (FedRAMP)®® 
implementation, including an assessment of the implementation of the 
program’s authorization process for protecting federal data in cloud 
environments; 

• the Equifax data breach, including an assessment of federal oversight 
of credit reporting agencies’ collection, use, and protection of 
consumer Pll; 


®®GAO, Civil Support: DOD Needs to Clarify Its Roles and Responsibilities for Defense 
Support of Civil Authorities during Cyber Incidents, GAO-16-332 (Washington, D.C.: Apr. 

4, 2016). 

®^GAO-16-294. 

®®GAO often issues two versions of its audit reports on the security of federal systems and 
information. One version is publicly available, and one version is not available to the public 
because of the sensitive security information it contains. GAO has made hundreds of 
recommendations to agencies to rectify technical security control deficiencies identified in 
these non-publicly available reports. 

®®ln December 2011, OMB established FEDRAMP—a government-wide program 
intended to provide a standardized approach to security assessment, authorization, and 
continuous monitoring for cloud computing products and services. 
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• the Federal Communication Commission’s Electronic Comment Filing 
System security, to include a review of the agency’s detection of and 
response to a May 2017 incident that reportedly impacted the system; 

• DOD’s efforts to improve the cybersecurity of its major weapon 
systems; 

• DOD’s whistleblower program, including an assessment of the 
policies, procedures, and controls related to the access and storage of 
sensitive and classified information needed for the program; 

• IRS’s efforts to (1) implement security controls and the agency’s 
information security program, (2) authenticate taxpayers, and (3) 
secure tax information; and 

• federal intrusion detection and prevention capabilities. 


Prot6Cting Cyb6r Critical The federal government has been challenged in working with the private 
Infrastructure sector to protect critical infrastructure. This infrastructure includes both 

public and private systems vital to national security and other efforts, such 
as providing the essential services that underpin American society. As the 
cybersecurity threat to these systems continues to grow, federal agencies 
have millions of sensitive records that must be protected. Specifically, this 
critical infrastructure threat could have national security implications and 
more efforts should be made to ensure that it is not breached. 

To help address this issue, NIST developed the cybersecurity 
framework—a voluntary set of cybersecurity standards and procedures 
for industry to adopt as a means of taking a risk-based approach to 
managing cybersecurity. 

However, additional action is needed to strengthen the federal role in 
protecting the critical infrastructure. Specifically, we have reported on 
other critical infrastructure protection issues that need to be addressed. 
For example: 

• Entities within the 16 critical infrastructure sectors reported 
encountering four challenges to adopting the cybersecurity 
framework, such as being limited in their ability to commit necessary 


National Institute of Standards and Technology, Framework for Improving Critical 
Infrastructure Cydersecur/fy (Gaithersburg, MD: Feb. 12, 2014). The cybersecurity 
framework was updated on April 16, 2018. 


Page 27 


GAO-18-645T 




resources towards framework adoption and not having the necessary 
knowledge and skills to effectively implement the framework.®'' 

• Major challenges existed to securing the electricity grid against cyber 
threats.®^ These challenges included monitoring implementation of 
cybersecurity standards, ensuring security features are built into smart 
grid systems, and establishing metrics for cybersecurity. 

• DHS and other agencies needed to enhance cybersecurity in the 
maritime environment. Specifically, DHS did not include cyber risks in 
its risk assessments that were already in place nor did it address 
cyber risks in guidance for port security plans.®® 

• Sector-specific agencies®'' were not properly addressing progress or 
metrics to measure their progress in cybersecurity.®® 

• DOD and the Federal Aviation Administration identified a variety of 
operations and physical security risks that could adversely affect DOD 
missions.®® 

We made a total of 19 recommendations to federal agencies to address 
these weaknesses and others. These recommendations include, for 
example, a total of 9 recommendations to 9 sector-specific agencies to 
develop methods to determine the level and type of cybersecurity 
framework adoption across their respective sectors.®^ As of July 2018, all 


®^GAO, Critical Infrastructure Protection: Additional Actions are Essential for Assessing 
Cybersecurity Framework Adoption, GAO-18-211 (Washington, D.C.: Feb. 15, 2018). 

®^GAO, Critical Infrastructure Protection: Cybersecurity of the Nation's Electricity Grid 
Requires Continued Attention, GAO-16-174T (Washington, D.C.: Oct. 21,2015). 

®®GAO, Maritime Critical Infrastructure Protection: DHS Needs to Enhance Efforts to 
Address Port Cybersecurity, GAO-16-116T (Washington, D.C.: Oct. 8, 2015). 

®''Sector-specific agencies are federal departments or agencies with responsibility for 
providing institutional knowledge and specialized expertise. They accomplish this by 
leading, facilitating, or supporting the security and resilience programs and associated 
activities of its designated critical infrastructure sector in the environment. 

®®GAO, Critical Infrastructure Protection: Sector-Specific Agencies Need to Better 
Measure Cybersecurity Progress, GAO-16-79 (Washington, D.C.: Nov. 19, 2015). The 
government facilities sector was excluded from the scope of this review due to its uniquely 
governmental focus. 

®®GAO, Homeland Defense: Urgent Need for DOD and FAA to Address Risks and 
Improve Planning for Technology That Tracks Military Aircraft, GAO-18-177 (Washington, 
D.C.: Jan. 18, 2018). 

®^GAO-18-211. 
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19 recommendations had not been implemented. Until these 
recommendations are implemented, the federal government will continue 
to be challenged in fulfilling its role in protecting the nation’s critical 
infrastructure. 

In addition to our prior work related to the federal government’s efforts to 
protect critical infrastructure, we also have several ongoing reviews 
focusing on: 

• the physical and cybersecurity risks to pipelines across the country 
responsible for transmitting oil, natural gas, and other hazardous 
liquids; 

• the cybersecurity risks to the electric grid; and 

• the privatization of utilities at DOD installations. 


Prot6Cting Privacy and The federal government has been challenged in protecting privacy and 

Sensitive Data sensitive data. Advances in technology, including powerful search 

technology and data analytics software, have made it easy to correlate 
information about individuals across large and numerous databases, 
which have become very inexpensive to maintain. In addition, ubiquitous 
Internet connectivity has facilitated sophisticated tracking of individuals 
and their activities through mobile devices such as smartphones and 
fitness trackers. 

Given that access to data is so pervasive, personal privacy hinges on 
ensuring that databases of PM maintained by government agencies or on 
their behalf are protected both from inappropriate access (i.e., data 
breaches) as well as inappropriate use (i.e., for purposes not originally 
specified when the information was collected). Likewise, the trend in the 
private sector of collecting extensive and detailed information about 
individuals needs appropriate limits. The vast number of individuals 
potentially affected by data breaches at federal agencies and private 
sector entities in recent years increases concerns that Pll is not being 
properly protected. 

Federal agencies should take two types of actions to address this 
challenge area. In addition, we have previously proposed two matters for 
congressional consideration aimed toward better protecting Pll. 

• Improve federal efforts to protect privacy and sensitive data. We 

have issued several reports noting that agencies had deficiencies in 
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protecting privacy and sensitive data that needed to be addressed. 

For example: 

• The Department of Health and Human Services’ (HHS) Centers 
for Medicare and Medicaid Services (CMS) and external entities 
were at risk of compromising Medicare Beneficiary Data due to a 
lack of guidance and proper oversight.®® 

• The Department of Education’s Office of Federal Student Aid had 
not properly overseen its school partners’ records or information 
security programs.®® 

• HHS had not fully addressed key security elements in its guidance 
for protecting the security and privacy of electronic health 
information.^® 

• CMS had not fully protected the privacy of users’ data on state- 
based marketplaces.^^ 

• Poor planning and ineffective monitoring had resulted in the 
unsuccessful implementation of government initiatives aimed at 
eliminating the unnecessary collection, use, and display of 

SSNs.^2 

• Appropriately limit the collection and use of personal information 
and ensure that it is obtained with appropriate knowledge or 
consent. We have issued a series of reports that highlight a number 
of the key concerns in this area. For example: 

• The emergence of loT devices can facilitate the collection of 
information about individuals without their knowledge or consent;^® 


®®GAO, Electronic Health Information: CMS Oversight of Medicare Beneficiary Data 
Security Needs Improvement, GAO-18-210 (Washington, D.C.: Mar. 6, 2018). 

®®GAO, Federal Student Aid: Better Program Management and Oversight of 
Postsecondary Schools Needed to Protect Student Information, GAO-18-121 
(Washington, D.C.: Dec. 15, 2017). 

^®GAO, Electronic Health Information: HHS Needs to Strengthen Security and Privacy 
Guidance and Oversight, GAO-16-771 (Washington, D.C.: Aug. 26, 2016). 

^^GAO, Healthcare.gov: Actions Needed to Enhance Information Security and Privacy 
Controls, GAO-16-265 (Washington, D.C.: Mar. 23, 2016). 

^^GAO, Social Security Numbers: OMB Actions Needed to Strengthen Federal Efforts to 
Limit Identity Theft Risks by Reducing Collection, Use, and Display, GAO-17-553 
(Washington, D.C.: July 25, 2017). 

^®GAO-17-75. 
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• Federal laws for smartphone tracking applications have not 
generally been well enforced. 

• The FBI has not fully ensured privacy and accuracy related to the 
use efface recognition technology.^® 

We have previously suggested that Congress consider amending laws, 
such as the Privacy Act of 1974^® and the E-Government Act of 2002,^^ 
because they may not consistently protect Pll.^® Specifically, we found 
that while these laws and guidance set minimum requirements for 
agencies, they may not consistently protect Pll in all circumstances of its 
collection and use throughout the federal government and may not fully 
adhere to key privacy principles. However, revisions to the Privacy Act 
and the E-Government Act have not yet been enacted. 

Further, we also suggested that Congress consider strengthening the 
consumer privacy framework^® and review issues such as the adequacy 
of consumers’ ability to access, correct, and control their personal 
information; and privacy controls related to new technologies such as web 
tracking and mobile devices.®® However, these suggested changes have 
not yet been enacted. 

We also made a total of 29 recommendations to federal agencies to 
address the weaknesses identified. As of July 2018, 28 recommendations 
had not been implemented. These outstanding recommendations include 
6 priority recommendations to address weaknesses associated with. 


^^GAO, Smartphone Data: Information and Issues Regarding Surreptitious Tracking Apps 
That Can Facilitate Stalking, GAO-16-317 (Washington, D.C.: Apr. 21,2016). 

^®GAO, Face Recognition Technology: FBI Should Better Ensure Privacy and Accuracy, 
GAO-16-267 (Washington, D.C.: May 16, 2016). 

^®Pub. L. No. 93-579, 88 Stat. 1896 (1974) (codified as amended at 5 U.S.C. § 552a). 
^^Pub. L. No. 107-347, 116 Stat. 2899. 

^®GAO, Privacy: Alternatives Exist for Enhancing Protection of Personally Identifiable 
Information, GAO-08-536 (Washington, D.C.: May 19, 2008). 

^®This framework presents a consumer privacy bill of rights, describes a stakeholder 
process to specify how the principles in that bill of rights would apply, and encourages 
Congress to provide the Federal Trade Commission with enforcement authorities for the 
bill of rights. 

ftD 

GAO, Information Resellers: Consumer Privacy Framework Needs to Reflect Changes 
in Technology and the Marketplace, GAO-13-663 (Washington, D.C.: Sept. 25, 2013). 
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among other things, publishing privacy impact assessments®^ and 
improving the accuracy of the FBI’s face recognition services. Until these 
recommendations are implemented, federal agencies will be challenged 
in their ability to protect privacy and sensitive data and ensure that its 
collection and use is appropriately limited. 

In addition to our prior work, we have several ongoing reviews related to 
protecting privacy and sensitive data. These include reviews of: 

• IRS’s taxpayer authentication efforts, including what steps the agency 
is taking to monitor and improve its authentication methods; 

• the extent to which the Department of Education’s Office of Federal 
Student Aid’s policies and procedures for overseeing non-school 
partners’ protection of federal student aid data align with federal 
requirements and guidance; 

• data security issues related to credit reporting agencies, including a 
review of the causes and impacts of the August 2017 Equifax data 
breach; 

• the extent to which Equifax assessed, responded to, and recovered 
from its August 2017 data breach; 

• federal agencies’ efforts to remove PI I from shared cyber threat 
indicators; and 

• how the federal government has overseen Internet privacy, including 
the roles of the Federal Communications Commission and the Federal 
Trade Commission, and strengths and weaknesses of the current 
oversight authorities. 

In summary, since 2010, we have made over 3,000 recommendations to 
agencies aimed at addressing the four cybersecurity challenges. 
Nevertheless, many agencies continue to be challenged in safeguarding 
their information systems and information, in part because many of these 
recommendations have not been implemented. Of the roughly 3,000 
recommendations made since 2010, nearly 1,000 had not been 
implemented as of July 2018. We have also designated 35 as priority 
recommendations, and as of July 2018, 31 had not been implemented. 


ft1 

Privacy impact assessments include an analysis of how personal information is 
collected, stored, shared, and managed in a federal system. 
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The federal government and the nation’s critical infrastructure are 
dependent on IT systems and electronic data, which make them highly 
vulnerable to a wide and evolving array of cyber-based threats. Securing 
these systems and data is vital to the nation’s security, prosperity, and 
well-being. Nevertheless, the security over these systems and data is 
inconsistent and urgent actions are needed to address ongoing 
cybersecurity and privacy challenges. Specifically, the federal 
government needs to implement a more comprehensive cybersecurity 
strategy and improve its oversight, including maintaining a qualified 
cybersecurity workforce; address security weaknesses in federal systems 
and information and enhance cyber incident response efforts; bolster the 
protection of cyber critical infrastructure; and prioritize efforts to protect 
individual’s privacy and Pll. Until our recommendations are addressed 
and actions are taken to address the four challenges we identified, the 
federal government, the national critical infrastructure, and the personal 
information of U.S. citizens will be increasingly susceptible to the 
multitude of cyber-related threats that exist. 

Chairmen Meadows and Hurd, Ranking Members Connolly and Kelly, 
and Members of the Subcommittees, this completes my prepared 
statement. I would be pleased to respond to any questions that you may 
have at this time. 
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